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The Orion Crew Module (CM) is NASA’s next generation manned space vehicle, scheduled to return 
humans to lunar orbit in the coming decade. The Orion avionics and GN&C architectures have 
progressed through a number of project phases and are nearing completion of a major milestone. The first 
unmanned test mission, dubbed “Exploration Flight Test One” (EFT-1) is scheduled to launch from 
NASA Kennedy Space Center late next year and provides the first integrated test of all the vehicle 
systems, avionics and software. 

The EFT-1 mission will be an unmanned test flight that includes a high speed re-entry from an 
elliptical orbit, which will be launched on an expendable launch vehicle (ELV). The ELV will place CM 
and the ELV upper stage into a low Earth orbit (LEO) for one revolution. After the first LEO, the ELV 
upper stage will re-ignite and place the combined upper stage/CM into an elliptical orbit whose perigee 
results in a high energy entry to test CM response in a relatively high velocity, high heating environment. 
While not producing entry velocities as high as those experienced in returning from a lunar orbit, the 
trajectory was chosen to provide higher stresses on the thermal protection and guided entry systems, as 
compared against a lower energy LEO entry. However the required entry geometry with constraints on 
inclination and landing site result in a trajectory that lingers for many hours in the Van Allen radiation 
belts. This exposes the vehicle and avionics to much higher levels of high energy proton radiation than a 
typical LEO or lunar trajectory would encounter. As a result, Van Allen radiation poses a significant risk 
to the Orion avionics system, and particularly the Flight Control Module (FCM) computers that house the 
GN&C flight software. 

The measures taken by the Orion GN&C, Flight Software and Avionics teams to mitigate the risks 
associated with the Van Allen radiation on EFT-1 are covered in the paper. Background on the Orion 
avionics subsystem is provided, as well as an overview of the GN&C software architecture. The 
measures taken to handle radiation induced failure of the one or both of the FCM’s are presented, and 
finally simulation and actual hardware-in-the-loop (HWIL) results are shown confirming the validity of 
the implementation. 

The paper presents an overview of the Orion avionics architecture describing the GNC sensors, 
onboard data network as well as the flight control computers and their planned restart capabilities. GN&C 
sensors include two Orion Inertial Measurement Units (OIMU’s), a Vision Processing Unit (VPU) to 
process camera images, three barometric altimeters and a single GPS receiver. All of the sensors 
communicate to one of two Power and Data Units (PDU’s). The PDU’s multiplex analog and serial data 
from the sensors and write the data to the Orion Data Network (ODN). The OIMU’s write measurement 
messages directly as onto the ODN, but they are routed through PDU network switches. 

Sensor data are passed via the ODN to the GN&C software application within one of two self- 
checking pair Flight Control Modules (FCM’s). Each self-checking FCM houses identical instances of 
the GN&C application which executes the Orion Flight software, providing fault tolerance for the 
operating FCM hardware for a number of hardware upset events. FCM’s may communicate between one 
another via a “cross channel” data connection on the ODN. Cross channel data serve to ensure 
synchronization of critical events as well as to provide restart data from an operating FCM to a non- 
operating FCM. 
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When radiation upset event conditions are detected by the self-checking pair FCM hardware (or if one 
is intentionally commanded by ground operators), this triggers a restart of the affected FCM hardware 
while the rest of the avionics continue to operate. In the event that the non-restarting FCM is operating 
and uninhibited it continues to fly the vehicle closed loop without interruption. However for EFT-1 there 
is also a real, although low probability chance that the secondary FCM may not be operational at the time 
of the restart. This constitutes what is referred to as a dual FCM restart and was deemed to be significant 
enough of a risk to the program to develop a solution in software. In the dual restart case a combination 
of data stored in non-volatile FCM memory and auxiliary VPU hardware is used to provide enough 
critical data to restart the FCM(s) without an active counterpart. In either restart case, all of the critical 
GN&C flight software states and data must be transferred to the restarting FCM and utilized in the 
application software to initialize all the algorithms at the appropriate point in the mission event sequence. 
The paper presents a high level overview of the embedded restart logic on each FCM for determining 
upon restart or power up whether one of the restart cases is encountered or if the vehicle is proceeding 
through a nominal power up on the launch pad. 

The GN&C software executes on one of the many software partitions allocated on each FCM. This 
paper presents an overview of the EFT-1 GN&C software architecture with a heavy focus on navigation, 
as most of the complexity in performing inflight restarts deals with restarting the navigation software. 
The timing and rate monotonic scheduling scheme is summarized to provide background for the sections 
that discuss how the multi-rate navigation system is re-anchored to the current Orion time during the 
restart process. 

The Orion GN&C software architecture includes a GN&C command interface (GCI) that provides 
moding commands and configuration data to navigation, guidance and control domain modules. 
Automated sequences are enacted within GCI by sequencing through data configurable activities loaded 
onto the vehicle via Separately Loadable Databases (SLDBs). Each activity consists of the appropriate 
mode commands and configuration data needed to accomplish the activity objective. GCI also contains 
software to perform automated transitions between activities based on data configurable transition 
criteria. The vehicle “Timeline Manager (TM)” is responsible for coordinating event transitions across all 
vehicle subsystems including GN&C, and the interface for communicating changes across all subsystems 
is through “mission segments”. Within the GN&C subsystem, GCI responds to a new mission segment 
by kicking off a new sequence of activities. Transitions between mission segments within the TM 
software are often based on state data and flags provided by GN&C. While all of the GN&C state data 
cannot be synchronized between the FCMs, transitions between the high level segments are synchronized 
to ensure that segment boundaries could never occur at slightly different times within each FCM. This 
critical event synchronization is accomplished by including the transition status of the counterpart FCM 
in the segment transition criteria. The paper describes the critical state data exchanged between TM and 
GCI counterpart instances in order to ensure that vehicle configuration parameters, sequencing 
information as well as command data are preserved during a restart. 

The navigation software is naturally sensitive to initial conditions during an inflight restart. Only a 
subset of the navigation filter states can be provided to initialize navigation filters in the restarting FCM, 
and the specific solution determined in each FCM is naturally subject to many details including 
measurement processing, accept/reject counters and other nuances. Therefore the navigation software 
instances on each FCM will naturally produce slightly different solutions, although neither is more correct 
than the other. This aspect of the Orion design produces more complexity in the GN&C system 
particularly when switching from one FCM as the active flight computer since the closed loop system will 
invariably have to tolerate slight transients as the process of switching FCMs completes. The paper 
discusses of the issues surrounding this complexity and the mitigation steps taken to ensure robustness for 
the EFT-1 and future missions. 

The navigation software is divided in to two “channels” associated with each of the redundant Orion 
IMUs. Each channel includes both filtered and inertial solutions. The filtered solutions incorporate GPS 
measurements within a 1 Hz Extended Kalman Filter (EKF) that interacts with a 40 Hz inertial 
propagator. In addition a separate, inertial solution is maintained on the vehicle for each navigation 
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channel to provide a backup for the filtered navigation solution taking measurements from the Orion GPS 
receiver which has never been flown in an exo-atmospheric environment. The paper discusses the 
mechanisms for initializing both the filtered and inertial states during a restart as well as the navigation 
trades used to identify and prioritize the subset of navigation filter states that passed between FCMs. 
Additionally other non-navigation algorithms also require cross channel initialization, including fault 
detection, isolation and recovery (FDIR) and entry guidance algorithms. Finally, after describing the 
software architecture and necessary navigation features required to support single and dual FCM restarts, 
the effect on the navigation system performance is quantified. This is achieved through several methods 
including analysis of the EFT-1 mission trajectory and nominal mission timeline, the navigation EKF 
implementation and parameterization, as well as Monte Carlo simulation results. In addition, operational 
considerations are covered as part of the study, including the implications of restarts upon telemetry and 
how the automated restart process may be monitored from the ground. Flight rules affected by FCM 
restarts are discussed, along with rules that govern the use of available ground commands such as a 
contingency navigation state update/replacement. Operational implications for future Orion missions are 
also touched upon. Ultimately, robustness to radiation induced inflight restarts is shown within the 
GN&C system for a variety of stressing yet possible outcomes, to significantly increase probability of 
mission success for the EFT-1 mission. 


3 

American Institute of Aeronautics and Astronautics 



